-
Notifications
You must be signed in to change notification settings - Fork 58
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Xynnn007 Thanks a lot!. This is an important PR and plays a great role in our follow-up work. Here are some small questions and comments...
BTW, the changes in this PR will make the current sample_keyprovider
unusable. Is there a plan to modify the sample_keyprovider
?
d215eca
to
0050dcd
Compare
@jialez0 Thanks a lot for deep diving... I will update the keyprovider and related documents in the next PR. For sample-key provider, there might be two ways:
I prefer way 2, some related work has already been done in image-rs confidential-containers/guest-components#85 . And we can get rid of those encrypted images using sample-kbc then (if any). Finally we can mark sample kbc deprecated in code and give a compiling warning or directly deleted the related code |
Hi @stevenhorsman @liudalibj this pr will influence the behavior of |
string KbcName = 1; | ||
string KbsUri = 2; | ||
string ResourceDescription = 3; | ||
string ResourceUri = 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed the Proto here, as kbsUri is part of the resourceUri. KbcName now still matters and I think we can open an issuer later to talk about https://github.com/confidential-containers/attestation-agent/issues/99 on both image-rs side and kata-agent side.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one offline_fs_kbc test case need be updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick action, the whole PR looks good to me.
e01a7bf
to
6febca2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few initial comments.
@@ -62,6 +63,18 @@ pub mod tests { | |||
#[allow(dead_code)] | |||
pub const RESOURCES_NAME: &str = "aa-offline_fs_kbc-resources.json"; | |||
|
|||
pub const KBS_URI_PREFIX: &str = "kbs://example.org/"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if we use the offline_fs_kbs the resource request must have kbs://example.org/
in it? That seems a bit inconvenient. Wouldn't it be better to just ignore whatever KBS address is provided?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do not need the kbs://example.org/
in it. We will ignore the KBS address if offline_fs_kbc
is used. Here the const
is defined to work with resource_path!
macro which is to convert a whole uri into a path without KBS address.
@@ -49,7 +49,9 @@ impl KbcInterface for OnlineSevKbc { | |||
} | |||
|
|||
async fn decrypt_payload(&mut self, annotation_packet: AnnotationPacket) -> Result<Vec<u8>> { | |||
let key = self.get_key_from_kbs(annotation_packet.kid).await?; | |||
let key = self | |||
.get_key_from_kbs(annotation_packet.kid.resource_path()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we aren't using the resource uri for image decryption keys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we are. In online-sev-kbc, it also defines its own kbs address like cc-kbc and the get_key_from_kbs
only makes a gRPC request containing the key id to kbs. So here we only need to extract the <repository>/<type>/<tag>
(what resource_path()
does) and ignore the uri of kbs. (like get_resource_from_kbs
does)
Also, get_resource_from_kbs
is a little different from get_key_from_kbs
. The later will flush the memory after using the key using Zeroizing
There is some different of both api which confuses, let me fix this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: To be compatible with this PR, image-rs
may need some updates and its existing resource acquisition format will no longer be available, right? @Xynnn007
97806ac
to
76d6acd
Compare
Yes, we need to remove the hardcodes in image-rs and give a configuration of image-rs for the resources needed. This work should be delayed after 0.4.0 is released. Let's perfect the system for 0.5.0 : ) |
There are some conflicts in the code for ttrpc things.. let me finish some tiny fixes and then rebase the code. |
1bc6918
to
c2a99f0
Compare
@Xynnn007 Sounds great! Since the changes in this PR will affect the code availability of cc @fitzthum |
@Xynnn007 In view of the fact that the KBS address part of the KBS URI is not actually consumed at present, we actually use the KBS address specified in the
This can avoid confusion for users now. |
Yea, I have no preference for either option
Does it look good? |
@Xynnn007 That's OK. In fact, whether we use Meanwhile, in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I also prefer the adjustment that @jialez0 mentions regarding the URI, but we can do that later.
key_id in the AnnotationPacket will follow the KBS URI format. Different KBCs will index the corresponding keu due to the uri. Signed-off-by: Xynnn007 <[email protected]>
now get_resource API receives a kbs uri to indicate the confidential resource to be requested Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Now if the request resource `type` in kbs uri is `"client-id"`, the responsed resource will be the client id. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
please refer to https://github.com/confidential-containers/attestation-agent/issues/130 for more information Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
To avoid confusing, a uri pointing to a resource is named kbs resource uri. A kbs uri stands for the uri of the kbs. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
As confidential-containers/guest-components#191, this PR includes the following
Please notice that all the
<kbs-addr>
field in a kbs uri now will be ignored, all kbc will use its own memberkbs_url
instead.Also, this PR modifies the gRPC API of
get_resource
, as duplicated information is carried in the kbs uri